WinSecWiki > Security Settings > Account Policies > Lockout Policy

Windows Account Lockout Policy

Account lockout is a useful method for slowing down online password-guessing attacks as well as to compensate for weak password policies. These three policies work together to limit the number of consecutive, within a period of time, logon attempts that fail due to a bad password.

To strengthen account lockout policy, increase Account lockout duration, decrease Account lockout threshold and increase Reset account lockout counter after. Making these policies too strict though can lead to premature account lockouts and increased helpdesk support calls.

Policy Scope

All of the settings in this section apply either to domain accounts in Active Directory or local accounts on member servers. See the article "Account Policies Explained" at the upper level. Also see the article "Fine Grained Password and Lockout Policy".

Policies

Example policies

The following policy is too weak; it would only trigger lockouts for very brazen password guessing attacks.

  • Account lockout duration: 5 minutes
  • Account lockout threshold: 15 invalid logon attempts
  • Reset account lockout after: 5 minutes

The following policy will limit an attacker to 10 consecutive logon attempts during any 24 hour period and require an administrator to unlock the account:

  • Account lockout duration: 1440 minutes
  • Account lockout threshold: 10 invalid logon attempts
  • Reset account lockout after: 0 minutes

Troubleshooting

Administrators frequently struggle with repeated unexplained and seemingly spontaneous account lockouts for a given user account. This is frequently due to a workstation where a user account remains logged on after that account’s password been changed elsewhere. But there are many other possible reasons including stored credentials, programs that cache credentials, scheduled tasks, services, persistent track mappings, Active Directory replication problems and disconnected Terminal Services sessions.

Microsoft has produced a number of resources to help diagnose this problem.

Remember that, for domain accounts, Active Directory enforces just one account lockout policy for all domain user accounts in the entire domain. This policy is defined in the Default Domain Policy GPO linked to the root of the command. See upper level for more information.

Child articles:

Back to top

 

Upcoming Webinars
    Additional Resources